Pentagon officials warn contractors on their duty to comply with NIST standard ahead of CMMC

By Sara Friedman / October 27, 2022

Defense contractors should not wait until the launch of the Cybersecurity Maturity Model Certification program to reach compliance with the Pentagon's cyber standard for the handling of controlled unclassified information, according to Defense Department officials.

The Pentagon has required companies since 2017 to comply with NIST Special Publication 800-171 through DFARS 252.204-7012, CMMC Director Stacy Bostjanick said Wednesday at an industry event.

The CMMC program is a validation of compliance through a third-party assessment, Bostjanick said, while emphasizing that there are already mechanisms in place to monitor contractor compliance ahead of full CMMC implementation.

The Pentagon plans to issue an interim final rule in March 2023 to implement CMMC program changes announced in November 2021. Following a 60-day public comment period, Bostjanick said the expectation is that CMMC requirements will start showing up in DOD contracts under a three-year rollout.

However, the Pentagon’s acquisition office in June issued a memorandum to acquisition officials reminding them of the current NIST 800-171 standard and potential remedies for non-compliance.

Contractors must make progress to close out remaining compliance issues through completing their plan of action and milestones, according to the memo signed by Defense Pricing and Contracting principal director John Tenaglia.

The memo says, “Failure to have or to make progress on a plan to implement NIST SP 800-171 requirements may be considered a material breach of contract requirements. Remedies for such a breach may include: withholding progress payments; foregoing remaining contract options; and potentially terminating the contract in part or in whole.”

It continues: “Contracting Officers should consult with legal counsel as well as the program office or requiring activity to discuss appropriate remedies for the specific circumstances surrounding individual contracts.”

Bostjanick spoke at a CMMC event hosted by PreVeil with company co-founder and chairman Sanjeev Verma. Her remarks were followed by a presentation from DIBCAC officials Jennifer Henderson and William Spence, an overview of legal requirements for meeting NIST and CMMC standards from contracting attorney Robert Metzger, and a panel on lessons learned from the first voluntary assessments.

Bostjanick was recently promoted to chief of defense industrial base cybersecurity, expanding her portfolio within the office of the DOD CIO to liaise with other cybersecurity programs designed to help defense companies improve their cybersecurity posture, including offerings from the DOD Cyber Crime Center (DC3) and Project Spectrum.

As part of the original CMMC rule, DOD set up requirements for defense contractors to submit scores showing their NIST 800-171 compliance to a centralized Pentagon database. It also gave DOD the ability to review the scores by conducting Medium and High assessments on specific contractors.

Those assessments are conducted through DCMA’s Defense Industrial Base Cybersecurity Assessment Center. Henderson and Spence explained some of the common requirements from NIST 800-171 that companies are struggling to meet under the Medium assessment.

The DIBCAC is also responsible for conducting CMMC assessments of certified third-party assessment organizations and for overseeing joint surveillance voluntary assessments of defense contractors conducted in cooperation with C3PAOs.

Bostjanick said three companies have passed assessments under the joint surveillance program and the process is “working well.” The new program has become a “well-oiled machine,” Bostjanick said.

DOD plans to allow companies that pass a joint voluntary assessment to convert their DIBCAC High to a CMMC certification once the CMMC rule takes effect. Bostjanick said the expectation is the converted certification will last for three years and companies will be required to submit an annual affirmation that they are compliant with CMMC.